一、SQL注入實例
后臺的插入語句代碼:
$unsafe_variable = $_POST['user_input'];
mysql_query("INSERT INTO `table` (`column`) VALUES ('$unsafe_variable')");
當POST的內容為:
value'); DROP TABLE table;--
以上的整個SQL查詢語句變成:
INSERT INTO `table` (`column`) VALUES('value'); DROP TABLE table;--')
二、防止SQL注入措施
1.使用預處理語句和參數化查詢。(‘Use prepared statements and parameterized queries.’)?
SQL語句和查詢的參數分別發送給數據庫服務器進行解析。這種方式有2種實現:?
(1)使用PDO(PHP data object)
$stmt = $pdo->prepare('SELECT * FROM employees WHERE name = :name');
$stmt->execute(array('name' => $name));
foreach ($stmt as $row) {
// do something with $row
}
(2)使用MySQLi
$stmt = $dbConnection->prepare('SELECT * FROM employees WHERE name = ?'); $stmt->bind_param('s', $name);
$stmt->execute();
$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
// do something with $row }
2.對查詢語句進行轉義(最常見的方式)
$unsafe_variable = $_POST["user-input"];
$safe_variable = mysql_real_escape_string($unsafe_variable);
mysql_query("INSERT INTO table (column) VALUES ('" . $safe_variable . "')");
$mysqli = new mysqli("server", "username", "password", "database_name");
// TODO - Check that connection was successful.
$unsafe_variable = $_POST["user-input"];
$stmt = $mysqli->prepare("INSERT INTO table (column) VALUES (?)");
// TODO check that $stmt creation succeeded
// "s" means the database expects a string
$stmt->bind_param("s", $unsafe_variable);
$stmt->execute();
$stmt->close();
$mysqli->close();
3.限制引入的參數
$orders = array("name","price","qty"); //field names
$key = array_search($_GET['sort'],$orders)); // see if we have such a name
$orderby = $orders[$key]; //if not, first one will be set automatically. smart enuf :)
$query = "SELECT * FROM `table` ORDER BY $orderby"; //value is safe
4.對引入參數進行編碼
SELECT password FROM users WHERE name = 'root' --普通方式
SELECT password FROM users WHERE name = 0x726f6f74 --防止注入
SELECT password FROM users WHERE name = UNHEX('726f6f74') --防止注入
set @INPUT = hex("%實驗%");
select * from login where reset_passwd_question like unhex(@INPUT) ;
)
,Ubuntu中不能使用搜狗輸入法錄入漢字問題...)
.docx)
)
)
)
)
)